qradar
bot defense -> IBM Qradar issue
Hey all, I have a problem with data sent from the BIG-IP Bot Defense module to IBM Qradar. I checked it with tcpdump and it seems that some unnecessary characters are glued to the beginning of the payload, disrupting the Qradar parser. I tried switching from TCP to UDP to no avail. The additional payload is seemingly random. Did anyone encounter a similar problem?

tcpdump -i EXT-ASA-VLAN -c 2 host 10.111.111.100 and dst port 514 -vvvv -nn -ASs 1514
tcpdump: listening on EXT-ASA-VLAN, link-type EN10MB (Ethernet), capture size 1514 bytes
12:49:54.926122 IP (tos 0x0, ttl 255, id 20545, offset 0, flags [none], proto TCP (6), length 2785)
    10.234.111.165.60939 > 10.111.111.100.514: Flags [P.], seq 3888336727:3888339472, ack 4155562241, win 4380, length 2745
E. .PA....ls    <--------------- this is weird stuff glued to payload
.o. ....OW....P.......
<rest of payload goes here>

Asymmetric traffic because of closing SAT on VIP
Hi all, I closed SAT (from Automap to None) on the DNS VIP in order to pass through the source IP addresses of the DNS queries, which makes the Qradar logs meaningful. I also set the DGW of the DNS nodes behind the VIP to the F5 self IP. We started to get the DNS logs in Qradar with the source of the queries, but I realized that DNS no longer works for the clients/servers which are in the same subnet as the DNS servers behind the VIP. This is because the DNS servers are replying directly to the clients/servers in the same subnet instead of returning through the F5. I have a workaround for that case (creating another DNS VIP with the same nodes and setting the SAT to Automap), but with this solution we cannot get the logs for that subnet. Is there any solution to prevent this asymmetric traffic without opening the SAT? (BIG-IP LTM 12.1.0) Thanks